If you want your funds back, get inside the hacker’s mind

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack


After a Web3 protocol is hacked, the people affected naturally expect that the protocol will do its very best to recover their lost funds.

And this task, undeniably, often involves communicating with the attacker: a crucial step, because the exploiter usually holds all the cards. The hacker has full control of the stolen capital and can choose to communicate with the project — or disappear forever.

Understanding the mentality of a hacker and their potential motivations is therefore key to a successful outcome (or as successful an outcome as can be in the case of an anonymous crypto hack).

There are many factors behind why an individual would exploit a Web3 project. The ability to find a weakness in a project’s code, as well as the ability to exploit said weakness, can be seen as a sign of competence. And if the attack is somehow novel or unusual, the hacker could see their successful exploit as a point of pride or a claim to bragging rights. Narcissism and hacking go together fairly well.

For blockchain projects, exploits also come with substantial profit potential. Due to crypto’s decentralized nature, the often hazy jurisdiction a project falls under and the idea that “code is law,” hackers can often get away with keeping everything they steal. However, it has recently become more common for hackers to return most of their profits in exchange for a promise of immunity, or even in some cases, a “thank you” and a bug bounty reward. This was the case with Curve, Alchemix, HTX, Stars Arena and others. These deals appear to depend on how identifiable the hacker is and how much of the funds they are willing to return.


Some exploiters imply innocence, claiming to be driven by curiosity and exploration. The famous phrase “I accidentally killed it” by the exploiter of the Parity wallet self-destruct vulnerability is a wonderful example — the exploiter claims to have been sending self-destruct instructions to random contracts. Up until their hack actually works, I actually trust that most hackers find themselves in some kind of disbelief that they could actually be successful.

The final and perhaps darkest motivation behind an exploit can be pure hatred: A hacker may execute an exploit just to cause people harm. The attackers can steal funds and never use them, or just burn them forever. In an industry full of passionate philosophers with anarchist tendencies, it should not be too surprising that some hackers would also like to present their actions as some kind of statement. For example, after a recent $48 million hack, Kyber Network depositors and liquidity providers were “offered” a 50% rebate on their funds by the hacker with the words “I know this is probably less than what you wanted. However, it is also more than you deserve.” 

When communicating with a hacker while trying to recover funds, it’s essential that the project takes the hacker’s motivation into account. 

If the exploit was executed by an organized group, the group will most likely not communicate in the first place, and the chance of any funds being returned is unfortunately very low. But if the attacker did not have malicious intentions, as in the case of a white hat hacker just looking to draw attention to a code vulnerability, they will likely reach out on their own and arrange for the return of the funds (or whatever is left).

If the primary motivating factor is financial gain, the affected project offering a substantial reward along with indemnity can yield results. The likelihood of this happening increases when the hacker leaves some personally identifiable information behind, like IP addresses recovered from ISPs, VPN providers or infrastructure providers. This identifying information can also include traces of where they sourced the funds, like ether, used to pay the network fees for executing their hack. Especially under such conditions, financially motivated hackers face a choice between taking a lot of money illegally, or substantially less — but still a lot of money — with some level of indemnity.

One still needs to walk the fine line between scaring the attacker away and convincing them that returning the funds is the best outcome for them. This strategy can still be applied when the hacker’s motivation is to cause damage or make a statement — but the likelihood of success is much lower.

And how does one know where to contact a hacker? It’s easy. They don’t. Hackers themselves have several options for reaching out to the project they hacked. These include signed messages on-chain and anonymous social media accounts. If one wants to have a conversation with a hacker, the best thing to do is make that known and offer a convenient communication channel that protects the hacker’s privacy. This will maximize the chance of getting a response.

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack. Driven by a mix of fascination, financial gain or sometimes even hatred, the thought process of a hacker is as complex as the exploits they execute.


